Hi, Bernhard has pointed out the most obvious method of reducing this. If you do need to put in additional validation after logon then you can use exit SUSR001 to insert new code (caveat: this will cover GUI logon but not other methods of accessing the system).
More strategic would be to use an SSO solution. It may be anecdotal, but in my experience users are much less likely to share the password to their laptop/workstation/email/network than they are the password to an application like SAP.